back to article Android, heal thyself

Google's Android mobile operating system is now on a par with others when it comes to security, says Accuvant security researcher Joshua Drake, aka jduck. But there are still problems in the operating system, not least a staggered update process. Then there's webkit, which permeates the operating system but is developed …

COMMENTS

This topic is closed for new posts.

This post has been deleted by a moderator

Silver badge
Joke

Re: Unfinished thought?

Sent from my Android 2.3 phone.

1
0
Anonymous Coward

Updates

Updates, what updates? Sent from my 1.6 donut. The one with a huge hole in the middle.

1
1
Anonymous Coward

Re: Unfinished thought?

Does this mean it is becoming a walled garden?

0
0
Bronze badge

Re: Unfinished thought?

Funny, my op first post was deleted, but still standing is your reply. My post was only a quote of the original sentence, where the period was replaced by "that makes".... People have been worse, sometimes cruel to mods, yet not many I have seen were outright deleted. I better not be the fp anymore, hahahaha...

0
1
Bronze badge

Re: Unfinished thought?

Ah, that must be it, by George! I forgot to or neglected to click on the "Joke" icon. Stupid me.... Must have been perceived as ridicule. Blast me... I better be more mindful.

0
1
Bronze badge
FAIL

Latest Android may be secure

But UK carriers will wait 6-9 months before passing it along, if they ever do at all.

3
0
Anonymous Coward

Re: Latest Android may be secure

Exactly - if ever - I have an Android handset that is basically junk as no updates available and it was literally 12 months old. Now wishing to harp on about iPhones but a mate's 3GS is now 4 years old and still going strong and runs the latest iOS 6. I have another (newer) handset that cannot be upgraded further so is now ageing - bottom line is you are lucky to get 12-28 months out of most Android handsets so bit wasteful and expensive.

I know many people upgrade every 18 months but many do not or do not NEED to but with Android they NEED to. Personally I prefer a SIM only contract and upgrade when I want - that may be after 12 months or after 3+ years if I choose.

2
2
Anonymous Coward

Re: Latest Android may be secure

"Exactly - if ever - I have an Android handset that is basically junk as no updates available and it was literally 12 months old. Now wishing to harp on about iPhones but a mates 3GS is now 4 years old and still going strong and runs the latest iOS 6."

Moot!

I had a droid for years now and never EVER had any issues!

2
4

Re: Latest Android may be secure

Don't get me wrong, the situation with updates in Android isn't good enough and there are too many phones that are not getting them.

However, not getting the updates does not make them junk. The OS does not have an expiry date built into it and continues to function long after newer releases come out. I'm using a phone with 2.3 on it and while I eagerly await my upgrade in February (because I have a tablet running ICS and it's just better) the phone still does everything the box it came in said it would do.

So there are actually several options: you can accept you aren't going to get the latest release and use the phone until it dies or you are due an upgrade from your operator (I would argue that most users are fine with this), you can install a newer version yourself via Cyanogenmod or something similar, or you can research the phone you buy and buy one from a manufacturer/operator with a good track record of updates (or a Nexus).

So, the situation isn't ideal, but you have more options than you do with other OSes.

1
0
Silver badge
Facepalm

Re: Latest Android may be secure

The podcast is about how security was bodged in initial releases and is better in newer versions. The fact phones running old versions don't stop running is irrelevant, they are insecure compared to phones running later versions.

It's difficult to seriously argue that phones that don't get updates are better than ones that do...

3
2

This post has been deleted by its author

WTF?

Re: Latest Android may be secure

"It's difficult to seriously argue that phones that don't get updates are better than ones that do..."

@sabroni:

Who is trying to argue that phones that don't get updates are better than ones that do?

I am challenging the A/C's statement that phones that do not get the updates are "junk", on the grounds that, while they may be less secure, they still work and can often be upgraded using other, admittedly flawed, methods but it's quite clear from my post that I feel getting updates is preferable to not getting updates.

1
1
Silver badge
Thumb Down

will be improved by users upgrading to newer versions

Users upgrading? Users?

That's loads of phones to throw away, then.

Was it too much to hope that an OS with a unix heritage and written entirely in the 21st century would have been secure by design?

1
0
Anonymous Coward

Re: will be improved by users upgrading to newer versions

UNIX is NOT secure by design. It is impossible to make an operating system secure by design. And besides, the major security flaw in any system is always the user.

Believe me, I've crushed too many "secure-by-design" systems during routine pentests to do anything but laugh when $corporation promises "MOST SECURE OPERATING SYSTEM EVER".

Looking at you, Kaspersky.

2
0
Silver badge

Re: will be improved by users upgrading to newer versions

> It is impossible to make an operating system secure by design.

Maybe. But it seems entirely possible to make an OS less secure by poor design.

0
0
Silver badge

Re: will be improved by users upgrading to newer versions

The whole application deployment model of Android and iOS is different from UNIX, and seriously alters the security model.

With UNIX, you have the concept of a superuser, which is responsible for the installation of applications which are then used by non-privileged users.

Android does away with the requirement to use superuser to install applications. Instead, Google have invented an application deployment framework that sits above the OS and runs as a single non-privileged user, which handles all application installation and execution, as well as making it the guardian of user data. As a result, the traditional UNIX security model is not involved.

In many cases, it is not the Android OS per se that is compromised by the security vulnerabilities. It is the application and/or the user's data. This is a fault in the execution environment (Dalvik?), not in the underlying OS.

Please don't confuse the two.

0
0
Thumb Down

@AC 9:42 "impossible to make an operating system secure by design"

>impossible to make an operating system secure by design

Oh really? What other technique would you suggest? Magic? Bribery? Barbed wire? Wishful thinking?

1
0
Anonymous Coward

Users barely bother to upgrade their handsets leaving a big security issue - at least the iPhone makes it easy and all handsets still in use (i.e. 3GS+) are still being supported. That is a big deal.

4
2
Anonymous Coward

One can always dream.

1
0
Bronze badge

" is now on a par with other.................

...........Then there's webkit, which permeates the operating system but is developed independently of Android."

It is a near bog standard computer system designed to compete with OS/X and Windows.

No one owns us there which is as much its own problem.

And there is nothing wrong with dated OS.

Why get your smartphone multi crippled by the latest updates?

Half the time it is as if the update is designed to kill your phone.

0
1
Anonymous Coward

Fragmented updates

Manufacturers and carriers are hardly falling over themselves to push out updates in a timely manner.

Still waiting for ICS and UI hardware acceleration on my G300 (on Vodafone) which has been 'coming soon' for several months now!

1
0
Silver badge

Users upgrading???

Not likely, this is the 21st century and phone users treat them very differently to computers - even if you are to tell them that the phone in their pocket has as much computing power as a desktop computer of only a few years ago.

A smart phone is a commodity device - they need to effectively manage themselves. This means automatic over the air updates, preferably wireless so as to not blow mobile data limits but if the carriers got involved properly could even be excluded from mobile data limits. Various carriers have implemented custom features for specific manufacturers of phones, so this isn't out of it by a long shot. The upside for a carrier is that despite the additional bandwidth, which frankly doesn't cost them a lot, they will benefit from likely having less malware and problems on their network keeping it cleaner generally and better performing phones are more likely to retain the carrier's loyalty because the majority of users are likely to associate carrier and phone performance together.

However these updates must be diff. based, not enormous downloads of the entire OS for every update... as soon as the updates get big and require frequent restarts then users will try to find ways around having them happen as they'll see them as a meaningless bind.

1
0
Silver badge

Trouble with upgrades...

First the Android operating system gets updated.

Then the phone manufacturer adds their bits

Then the phone operator adds their bits.

So if a vulnerability is found today and the patch developed the same day, it could be months before the update hits your phone.

And sometimes it will die at one of those steps and you'll never get patched. Like HTC saying they would not produce an update for the Desire phone (which they changed their mind about after pressure from the public).

Yea, you could stick on a different ROM and update it that way, but we are talking the public here, not us geeks. Most won't know how. Many won't even know what an update is.

To those who know more about the inner workings of Android:

Is there a way to produce a generic patch for some problems? Not a full build, but replacement of one or two common files that are not dependent on device or carrier?

0
0

AppArmor

The thing Android needs is AppArmor for every app.

Put an end to apps messing around where they should not be messing.

0
0
clp
Happy

A sense of perspective

I am not overly concerned with Android security, because it is still at the level of not working and not being fit for purpose.

I want my HTC Desire Z (Android 2.3 - no more updates forthcoming except if I had time and inclination to hack one in) mail client and Exchange (2010) ActiveSync to work reliably, not just occasionally, to sync contacts straight away, instead of after a few days or maybe not at all. I want it to send just a single copy of each email I send, rather than timing out, giving me an error meanwhile the message has gone to my Sent folder while it gets ready to send the next copy. In short it is fatally broken.

For a while I used a third-party email client, which solved the time out and multiple email send issues (ahah, at least it's not a hardware issue) when sending over SMTP, but it did not support Exchange 2010. I tried another apparently highly regarded mail client for ActiveSync, but that spent half the time crashing, after which I decided I really didn't have time for this stuff.

All that might be due to bugs in Android, HTC software or whatever Vodafone put on top, but that effectively leaves me nowhere to go to look for a resolution. It has seriously blighted my experience of Android and I would be very reluctant to spend out on another Android phone.

My solution to the email issues has been to buy a Blackberry, which at least works reliably and fast, except for lacking native Exchange ActiveSync at this present time.

So, my only experience of an Android device is it's great as an internet toy, media player and telephone, but worse than useless as a serious piece of business kit. Security? Don't make me laugh.

Thanks for listening :-)

0
0